secrets: allow allowInsecurePath for file providers

AaronWander · AaronWander · commit 7d9a3c2ea97b · 2026-03-09T10:28:05.000+08:00
diff --git a/src/config/config.secrets-schema.test.ts b/src/config/config.secrets-schema.test.ts
@@ -26,6 +26,7 @@ describe("config secret refs schema", () => {
             path: "~/.openclaw/secrets.json",
             mode: "json",
             timeoutMs: 10_000,
+            allowInsecurePath: true,
           },
           vault: {
             source: "exec",
diff --git a/src/config/types.secrets.ts b/src/config/types.secrets.ts
@@ -187,6 +187,7 @@ export type FileSecretProviderConfig = {
   mode?: FileSecretProviderMode;
   timeoutMs?: number;
   maxBytes?: number;
+  allowInsecurePath?: boolean;
 };
 
 export type ExecSecretProviderConfig = {
diff --git a/src/config/zod-schema.core.ts b/src/config/zod-schema.core.ts
@@ -101,6 +101,7 @@ const SecretsFileProviderSchema = z
       .positive()
       .max(20 * 1024 * 1024)
       .optional(),
+    allowInsecurePath: z.boolean().optional(),
   })
   .strict();
 
diff --git a/src/secrets/resolve.ts b/src/secrets/resolve.ts
@@ -289,6 +289,7 @@ async function readFileProviderPayload(params: {
     const secureFilePath = await assertSecurePath({
       targetPath: filePath,
       label: `secrets.providers.${params.providerName}.path`,
+      allowInsecurePath: params.providerConfig.allowInsecurePath,
     });
     const timeoutMs = normalizePositiveInt(
       params.providerConfig.timeoutMs,
diff --git a/src/secrets/runtime.test.ts b/src/secrets/runtime.test.ts
@@ -567,7 +567,12 @@ describe("secrets runtime snapshot", () => {
         config: asConfig({
           secrets: {
             providers: {
-              default: { source: "file", path: secretFile, mode: "json" },
+              default: {
+                source: "file",
+                path: secretFile,
+                mode: "json",
+                ...(process.platform === "win32" ? { allowInsecurePath: true } : {}),
+              },
             },
           },
           models: {
@@ -658,7 +663,12 @@ describe("secrets runtime snapshot", () => {
         config: asConfig({
           secrets: {
             providers: {
-              default: { source: "file", path: secretFile, mode: "json" },
+              default: {
+                source: "file",
+                path: secretFile,
+                mode: "json",
+                ...(process.platform === "win32" ? { allowInsecurePath: true } : {}),
+              },
             },
           },
           models: {
